Ticket #7263: Don't check that user has entered e-mail instead of username

Reporter: Valera Grishin
Owner: nobody
Status: closed
Component: contrib.admin
Version: dev
Resolution: fixed
Keywords: nfa-blocker
Stage: Accepted
Has patch: 1
Needs docs / Needs tests / Needs better patch / Easy / UI-UX: 0

Description:

Current django/trunk/contrib/admin/views/decorators.py has a function staff_member_required which checks whether the user supplied an e-mail address instead of a username in the login form. If so, and the e-mail is found in the user database, it will suggest (via an error message) that the user use the username instead. The error message will also show the username found for the given e-mail. Here is the code in the staff_member_required function:

{{{
if user is None:
    message = ERROR_MESSAGE
    if '@' in username:
        # Mistakenly entered e-mail address instead of username? Look it up.
        users = list(User.objects.filter(email=username))
        if len(users) == 1:
            message = _("Your e-mail address is not your username. Try '%s' instead.") % users[0].username
        else:
            # Either we cannot find the user, or if more than 1
            # we cannot guess which user is the correct one.
            message = _("Usernames cannot contain the '@' character.")
    return _display_login_form(request, message)
}}}

This feature actually works as a lookup and partially uncovers sensitive information. It can be used to:

 * check whether a certain e-mail exists (at all)
 * check whether a certain e-mail is registered (on a certain site)
 * find a username by e-mail

In order to solve this issue the logic can be simplified as follows:

{{{
if user is None:
    message = ERROR_MESSAGE
    if '@' in username:
        message = _("Usernames cannot contain the '@' character.")
    return _display_login_form(request, message)
}}}

The corresponding patch is attached.
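The following is an added, self-contained model of the two message-building branches discussed in the ticket; it is not Django's code or the attached patch. It replaces `User.objects.filter(email=...)` with a constructed in-memory list of (username, e-mail) pairs and uses a placeholder `ERROR_MESSAGE` string, so it runs offline. The point it makes explicit is the property a defender checks for on any login error path: the pre-fix message depends on database contents, so an unauthenticated caller can tell a registered e-mail from an unregistered one, while the post-fix message depends only on the submitted input.

```python
# Added example (not Django's own code): a minimal model of the admin login
# error-message logic from ticket #7263, with an in-memory stand-in for
# User.objects, to show why the e-mail lookup leaks account existence.

# Placeholder for Django's real ERROR_MESSAGE constant (text is an assumption).
ERROR_MESSAGE = "Please enter a correct username and password."

# Constructed sample user table: (username, email). Two users share one
# e-mail so the len(users) == 1 branch and the else branch are both exercised.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "shared@example.com"),
    ("dave", "shared@example.com"),
]


def _find_by_email(email, users):
    """Stand-in for User.objects.filter(email=...): usernames with that e-mail."""
    return [username for username, addr in users if addr == email]


def old_message(username, users):
    """Message the pre-fix decorator produced after a failed login."""
    message = ERROR_MESSAGE
    if "@" in username:
        # The lookup is what makes the message a function of the database.
        matches = _find_by_email(username, users)
        if len(matches) == 1:
            message = "Your e-mail address is not your username. Try '%s' instead." % matches[0]
        else:
            message = "Usernames cannot contain the '@' character."
    return message


def new_message(username, users):
    """Message after the fix: no lookup, so the text depends only on the input."""
    message = ERROR_MESSAGE
    if "@" in username:
        message = "Usernames cannot contain the '@' character."
    return message


def is_oracle(message_fn, probe, users):
    """True if the failure message for `probe` changes depending on whether
    `probe` is present in the user table, i.e. the response reveals state
    an unauthenticated caller should not learn."""
    with_user = message_fn(probe, users)
    without_user = message_fn(probe, [u for u in users if u[1] != probe])
    return with_user != without_user


if __name__ == "__main__":
    for fn in (old_message, new_message):
        print(fn.__name__, "is an enumeration oracle:",
              is_oracle(fn, "alice@example.com", USERS))
```

`is_oracle` is the reusable check: run the same probe against a state where the record exists and one where it does not, and require the response to be identical. The same test applies to password-reset and registration forms, which have the same failure mode.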